What should be included in a high-level policy for third-party cybersecurity risks?

Senior Information Security Manager in Software, 3 years ago

This should cover all of the main areas around third-party risk:

•    Third-Party Service Providers
•    Third-Party Security Requirements
•    Third-Party Access Control
•    Information Exchange
•    Third-Party Contracts
•    Personnel Security
•    Software Procurement
•    Assessment, Monitoring and Audits
•    Contingency Plans
•    Foreign Countries

Chief Information Security Officer in Healthcare and Biotech, 3 years ago

For a TPRM policy, the basic need is having quality vendors or partners to maintain a quality business ecosystem.
In today's digital era, cybersecurity is one of the most important aspects to consider before having a digital integration.
The requirements should be the base of cybersecurity, which should be maintained and followed for as long as information exchange is happening via digital channels.

Director in Construction, 3 years ago

I don't think it is a question that can be answered generically. Your third-party policy should indicate that an assessment of risks to your organization needs to be undertaken for third parties and, based on the outcome of the assessment, proper controls/governance be put in place. For example, if the third party stores confidential information, then data management controls need to be envisioned. If the third party provides an operationally critical service, then BCP/DR testing needs to be considered important. If the third party supplies products that you use, then the supply chain needs to be considered. Don't forget about the third party's governance of their third parties (fourth, fifth, etc. party to you). These all could cause your business concerns due to a cybersecurity issue.
